Welcome to the Cisco Small Business Community

SA520: problem when trying to access HTTPS over custom port in a site-to-site vpn


We've set up a site-to-site VPN between our SA520 and our SmoothWall running at our data center. The tunnel is always connected, so that part runs fine.

What works fine:

- Client is able to start an RDP session (on its default port 3389) to the server

- Client can open a web page hosted on the server (on the default HTTP port 80)

What doesn't work:

- Client cannot open a web page hosted on the server at the following URL:

- or, for that matter, any HTTPS service in the 192.168.3.x LAN that runs on a different port

To summarize:

From the 192.168.11.x subnet, accessing services running on default ports (e.g. 80, 3389, 21) in the 192.168.3.x subnet works fine. When doing the same for services running on custom ports (e.g. HTTPS over port 441), the connection to the web server times out.

Thanks in advance for any help you may provide.



Hi Glen, thank you for using our forum. My name is Luis and I am part of the Small Business Support community. In this case I think you should check the firewall settings in your SmoothWall. I advise you to create an ACL from the remote WAN to your LAN, or, if you want to be more specific, to the server's IP address. If the issue continues you should check the server's firewall as well.

I hope you find this answer useful.


Luis Arias.

Cisco Network Support Engineer.

Hi Luis,

Thank you for your reply. We've checked the SmoothWall configuration, but couldn't discover anything that could cause this problem. We even tried replacing the SA520 with a DrayTek Vigor router to set up a LAN-to-LAN VPN with the SmoothWall. With the DrayTek in place we have no problems accessing the aforementioned servers, so it seems the issue is with the SA520.

What exactly do you mean by creating an ACL from the remote WAN to our LAN? I assumed you meant creating a firewall rule allowing traffic from the remote device's public IP to our LAN. However, in that case I need to enter an IP address of a device in our LAN, or else I cannot save this rule. As a test I entered the IP address of my machine as the destination address, but I am still unable to access the aforementioned servers.

Here's how I set up the rule:

from zone: UNSECURE (WAN/optional WAN)

to zone: LAN

service: ANY

action: ALLOW always

schedule: (not set)

source hosts: Single address

from: public IP of one of the aforementioned servers

source NAT settings > external IP address: WAN interface address (cannot change this setting)

source NAT settings > WAN interface: dedicated WAN (cannot change this setting)

destination NAT settings > internal ip address: (ip address of my machine)

enable port forwarding: unchecked

translate port number: empty

external IP address: dedicated WAN
